Eliminate the last two kdc_active_realm macros from realm_data.h (left
behind after commits 0a2f14f752c32a24200363cc6b6ae64a92f81379 and e987546b4ff1689bb711cc46118ad9fc0a5613f6). Where code is affected,
use the names "context" and "realm". Pass contexts instead of realm
data structures to several functions which only need a context.
Every caller of cms_signeddata_create() and cms_envelopeddata_create()
passes 1 for include_certchain. Remove the parameter and
unconditionally add the certificate chain.
Julien Rische [Wed, 1 Jun 2022 16:02:04 +0000 (18:02 +0200)]
Set reasonable supportedCMSTypes in PKINIT
The PKINIT client uses AuthPack.supportedCMSTypes to let the KDC know
the algorithms it supports for verification of the CMS data signature.
(The MIT krb5 KDC currently ignores this list, but other
implementations use it.)
Replace 3DES with sha512WithRSAEncryption and sha256WithRSAEncryption.
[ghudson@mit.edu: simplified code and used appropriate helpers; edited
commit message]
Greg Hudson [Thu, 23 Jun 2022 20:41:40 +0000 (16:41 -0400)]
Simplify plugin loading code
Remove the USE_CFBUNDLE code, which was only used by KfM. Handle
platform conditionals according to current practice. Use
k5_dir_filenames() instead of opendir() and remove the Windows
implementation of opendir().
sashan [Fri, 17 Jun 2022 22:05:32 +0000 (00:05 +0200)]
Fix PKCS11 module path search
Commit c5c11839e02c7993eb78f2c94c75c10cf93f2195 switched the loading
of the PKCS#11 module from dlopen() to krb5int_open_plugin(). Because
krb5int_open_plugin() includes a stat() test, this change has the
unintended consequence of requiring the module name to be an absolute
or relative path to the library, not a filename within the dynamic
linker search path.
Within krb5int_open_plugin(), only stat() the filename on the
platforms which will use the file type.
[ghudson@mit.edu: adjusted conditionals to call stat() on Windows;
rewrote commit message]
Greg Hudson [Fri, 3 Jun 2022 18:28:26 +0000 (14:28 -0400)]
Improve k5test daemon checking
Instead of checking daemon exit statuses prior to termination, check
them after we send SIGTERM. This way we will notice when asan causes
an unsuccessful exit due to memory leaks, or when a daemon crashes in
its exit handling.
Greg Hudson [Fri, 3 Jun 2022 18:38:45 +0000 (14:38 -0400)]
Free verto context later in KDC cleanup
The KDC supplies the verto context to kdcpreauth modules via the loop
method (added in commit 83b4ecd20e50ad330cd761977d5dadefe30a785b).
This context should remain valid until kdcpreauth modules are
unloaded, as modules might refer to it during cleanup. In particular,
the OTP module references the verto context when freeing the RADIUS
client object (commit e89abc2d4ea1fea1ec28d470f297514b828e4842), which
can cause a memory error during KDC shutdown without this change.
sashan [Sun, 29 May 2022 08:32:57 +0000 (10:32 +0200)]
Fix uncommon PKINIT memory leak
PKINIT per-request module data objects are normally created by
pkinit_server_verify_padata() and freed by
pkinit_server_return_padata(). In some unusual circumstances, the KDC
may not call the return_padata method after verification succeeds.
Add a free_modreq method and free the object there instead.
sashan [Thu, 26 May 2022 06:51:10 +0000 (08:51 +0200)]
Fix memory leak in SPAKE kdcpreauth module
Commit ff57dc682a27bd205d715f3c0bed84890f2453c4 introduced a memory
leak into verify_response(). reply_key is no longer passed to the
callback and therefore needs to be freed by this function.
Simo Sorce [Thu, 19 May 2022 16:27:40 +0000 (12:27 -0400)]
Read GSS configuration files with mtime 0
There is at least one case (with flatpaks) where configuration files
in the special read-only /etc all have an mtime of 0. Using an
initial last modified time of 0 in g_initialize.c causes these files
to never be read.
Change the initial high value to the be the "invalid" value
(time_t)-1. Since the C and POSIX standards do not require time_t to
be signed, special-case the checks in load_if_changed() and
updateMechList() to treat all mod times as newer than -1.
Ken Hornstein [Wed, 4 Aug 2021 03:18:27 +0000 (23:18 -0400)]
Support macOS 11 native credential cache
Add an API credential cache implementation using the CCAPI stubs in
the macOS Kerberos framework, tailored to access the native
collections used by macOS 10.6 and later (KCM before macOS 11, XCACHE
afterwards). Make API: the default ccache name for macOS 10.6 and
later.
[ghudson@mit.edu: used shared CCAPI credential conversion functions;
changed ptcursor behavior to match current Unix collection semantics;
adjusted naming and code style]
Greg Hudson [Mon, 9 May 2022 14:55:41 +0000 (10:55 -0400)]
Remove krb5_aprof_init() and krb5_aprof_finish()
These functions are not part of the API, as they are prototyped in the
internal header adm_proto.h. Stop using them in kdc/main.c (instead
using the context profile) and stop defining them.
Greg Hudson [Tue, 3 May 2022 05:56:05 +0000 (01:56 -0400)]
Omit LDFLAGS from krb5-config --libs output
Linker options supplied at configure time (such as -Wl,--as-needed)
can be harmful when applied to downstream users of the libraries, and
in most cases should not be necessary.
Greg Hudson [Mon, 28 Mar 2022 23:06:29 +0000 (19:06 -0400)]
Fix iprop with fallback
kpropd produces a client principal name with
krb5_sname_to_principal(), then converts it to a string to pass as the
client principal to kadm5_init_with_skey(). This conversion loses the
name type, so no canonicalization is performed by libkadm5.
Commit dcb79089276624d7ddf44e08d35bd6d7d7e557d2 addresses this problem
for kadmin -k by looking for the referral realm, but kpropd sets the
realm in the krb5_sname_to_principal() result. Add an additional
check for a two-component principal with kiprop as the first
component.
Greg Hudson [Fri, 4 Mar 2022 05:45:00 +0000 (00:45 -0500)]
Try harder to avoid password change replay errors
Commit d7b3018d338fc9c989c3fa17505870f23c3759a8 (ticket 7905) changed
change_set_password() to prefer TCP. However, because UDP_LAST falls
back to UDP after one second, we can still get a replay error due to a
dropped packet, before the TCP layer has a chance to retry.
Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
TCP fails completely without reaching a server. In sendto_kdc.c,
implement an ONLY_UDP transport strategy to allow the UDP fallback.
Julien Rische [Wed, 19 Jan 2022 18:46:08 +0000 (19:46 +0100)]
Make kprop work for dump files larger than 4GB
If the dump file size does not fit in 32 bits, encode four zero bytes
(forcing an error for unmodified kpropd) followed by the size in the
next 64 bits.
Add a functional test case, but only run it when an environment
variable is set, as processing a 4GB dump file is too
resource-intensive for make check.
[ghudson@mit.edu: edited comments and commit message; eliminated use
of defined constant in some cases; added test case]
Tianjiao Yin [Mon, 7 Feb 2022 08:48:05 +0000 (00:48 -0800)]
Replace macros with typedefs in gssrpc types.h
Defining bool_t and enum_t with the preprocessor conflicts with
namespaced declarations in fbthrift's headers. Use typedefs to avoid
this conflict and for consistency with other Sun RPC implementations.
Greg Hudson [Tue, 25 Jan 2022 23:09:21 +0000 (18:09 -0500)]
Clarify certauth interface documentation
Try to make it clearer that princ is the requested client principal,
not a principal extracted from the certificate, and that the module
must decode the certificate and inspect its attributes. Document
KRB5_CERTAUTH_HWAUTH_PASS in certauth_plugin.h.
Greg Hudson [Wed, 23 Feb 2022 05:31:13 +0000 (00:31 -0500)]
Run Windows CI on windows-2019 image for now
The Github Actions windows-latest runner label now uses Windows Server
2022, which requires different setup steps for the Visual Studio
environment and does not contain CRT merge modules for VS 2022 (though
it does for VS 2017). For now, run the Windows build on windows-2019.
Greg Hudson [Fri, 28 Jan 2022 15:44:21 +0000 (10:44 -0500)]
Remove unneeded SPAKE free_modreq method
Commit ff57dc682a27bd205d715f3c0bed84890f2453c4 removed the use of
per-request module data in SPAKE, but neglected to remove the
corresponding free_modreq method.
Greg Hudson [Fri, 21 Jan 2022 15:58:46 +0000 (10:58 -0500)]
Avoid passing null for asprintf strings
It is undefined behavior to pass null to a printf function for a %.*s
substitution, even if the accompanying length is zero. OpenBSD
generates syslog warnings from libc when it sees a null pointer in a
string substitution (reported by Nathanael Rensen).
krb5_sname_to_principal() passes a null pointer in the usual case
where there is no port trailer. Address this case and others where we
use asprintf() with %.*s substitutions and might pass null, either by
avoiding the use of asprintf() or by ensuring that the pointer isn't
null.
Greg Hudson [Tue, 18 Jan 2022 22:06:46 +0000 (17:06 -0500)]
Pass client flag to KDB for client preauth match
In the kdcpreauth match_client() callback, if it is necessary to look
up the given principal in the KDB, pass KRB5_KDB_FLAG_CLIENT to
krb5_db_get_principal(). Samba requires this flag to properly handle
enterprise client principals.
Greg Hudson [Thu, 13 Jan 2022 19:33:14 +0000 (14:33 -0500)]
Implement replaced_reply_key input to issue_pac()
If a kdcpreauth module fully replaces the reply key during an AS
request, pass the reply key as the replaced_reply_key input to
issue_pac(). In Windows environments this is used to provide an NTLM
hash to the LSA when the client cannot be presumed to have a password
to derive it from.
To test this, add a fake PAC_CREDENTIALS_INFO buffer to the PAC in the
test KDB module, and alter adata.c to display the set of PAC buffer
types when a PAC is present.
Greg Hudson [Thu, 13 Jan 2022 17:58:32 +0000 (12:58 -0500)]
Add replace_reply_key kdcpreauth callback
Provide an explicit way for kdcpreauth modules to replace the reply
key, and internally track when the reply key is fully replaced (as
opposed to strengthened by replacing it with a derivative of the
client long-term key). Use this facility in the FAST OTP, PKINIT, and
SPAKE kdcpreauth modules.
Greg Hudson [Mon, 24 Jan 2022 16:20:12 +0000 (11:20 -0500)]
Add k5test.py facilities for PKINIT
Add the global variables pkinit_enabled and pkinit_certs. Add the
realm flag pkinit=True. Add the realm method pkinit(). Use these
facilities in t_pkinit.py, t_certauth.py, and t_authdata.py.
Greg Hudson [Sat, 8 Jan 2022 03:41:30 +0000 (22:41 -0500)]
Replace AD-SIGNEDPATH with minimal PACs
Remove all of the AD-SIGNEDPATH code. Instead, issue a signed minimal
PAC in all tickets and require a valid PAC to be present in all
tickets presented for S4U operations. Remove the get_authdata_info()
and sign_authdata() DAL methods, and add an issue_pac() method to
allow the KDB to add or copy buffers to the PAC. Add a disable_pac
realm flag.
Microsoft revised the S4U2Proxy rules for forwardable tickets. All
S4U2Proxy operations require forwardable evidence tickets, but
S4U2Self should issue a forwardable ticket if the requesting service
has no ok-to-auth-as-delegate bit but also no constrained delegation
privileges for traditional S4U2Proxy. Implement these rules,
extending the check_allowed_to_delegate() DAL method so that the KDC
can ask if a principal has any delegation privileges.
Combine the KRB5_KDB_FLAG_ISSUE_PAC and
KRB5_FLAG_CLIENT_REFERRALS_ONLY flags into KRB5_KDB_FLAG_CLIENT.
Rename the KRB5_KDB_FLAG_CANONICALIZE flag to
KRB5_KDB_FLAG_REFERRAL_OK, and only pass it to get_principal() for
lookup operations that can use a realm referral.
For consistency with Active Directory, honor the no-auth-data-required
server principal flag for S4U2Proxy but not for S4U2Self. Previously
we did the reverse.
Isaac Boukris [Fri, 7 Jan 2022 18:46:24 +0000 (13:46 -0500)]
Add PAC ticket signature APIs
Microsoft added a third PAC signature over the ticket to prevent
servers from setting the forwardable flag on evidence tickets. Add
new APIs to generate and verify ticket signatures, as well as defines
for this and other new PAC buffer types. Deprecate the old signing
functions as they cannot generate ticket signatures. Modify several
error returns to better match the protocol errors generated by Active
Directory.
[ghudson@mit.edu: adjusted contracts for KDC requirements; simplified
and commented code changes; wrote commit message. rharwood@redhat.com
also did some work on this commit.]
Isaac Boukris [Sun, 26 Dec 2021 01:28:41 +0000 (03:28 +0200)]
Don't fail krb5_cc_select() for no default realm
If the target server principal is a host-based service without
multiple dotted components and no default realm is configured,
krb5_cc_select() can fail, and therefore gss_init_sec_context().
Continue without filling in the realm in this case.
[ghudson@mit.edu: edited commit message and comment; slightly adjusted
flow control]
Nikhil Benesch [Wed, 22 Dec 2021 23:58:17 +0000 (18:58 -0500)]
Remove unnecessary flag in macOS build
The configuration logic for adding the `-search_paths_first` linker
flag on Darwin does not correctly handle cross compilation. It should
check the value of $krb5_cv_host rather than `uname -s` to detect when
the compilation target is Darwin, rather than the build machine.
It turns out `-search_paths_first` has been the default behavior of ld
on macOS since XCode 4. So just remove that bit of logic entirely.
(The flag was added in commit acd27af0e845f8b93de2e226cc2ec9ac8af52077
in 2004; XCode 4 was released in 2010.)
Greg Hudson [Sat, 11 Dec 2021 06:25:34 +0000 (01:25 -0500)]
Use 14 instead of 9 for unkeyed SHA-1 checksum
Although MIT krb5 had been using the value 9 for unkeyed SHA-1 since
its 1.0 release in 1996, RFC 3961 instead assigned this value to
rsa-md5-des3 (likely never used), and assigned the values 10 and 14 to
SHA-1. Heimdal and Microsoft use the value 14. Unkeyed SHA-1 almost
never appears on the wire, but has been seen in PKINIT asChecksum
fields in replies from Windows KDCs (despite the field being specified
as a keyed checksum).
Define a new symbol CKSUMTYPE_SHA1 with the value 14, and use it where
we currently use CKSUMTYPE_NIST_SHA. Continue to allow the value 9
for ABI compatibility. Remove the pkinit_clnt.c workaround as the
value 14 will now work without adjustment.
Greg Hudson [Thu, 2 Dec 2021 00:35:32 +0000 (19:35 -0500)]
Fix PAC handling of authtimes after y2038
Remove the unnecessary handling of negative inputs in
k5_time_to_seconds_since_1970() and k5_seconds_since_1970_to_time(),
and cast the krb5_timestamp input to uint32_t to properly handle
values after y2038.
Commit 3b163eed1cf1f55dd4a7bc6d6fffc34f55695b00 mistakenly separated
the call to kdc_process_s4u2self_req() from its error check, causing
the KDC to ignore S4U2Self padata with bad checksums. Restore the
error check so that the KDC replies with an error as intended.
[ghudson@mit.edu: removed old error check later on in the code;
rewrote commit message]
Greg Hudson [Tue, 19 Oct 2021 14:42:34 +0000 (10:42 -0400)]
Use OpenSSL CMAC implementation with OpenSSL 3
Make krb5int_cmac_checksum() a crypto module interface. Move the
existing CMAC implementation from krb to builtin. Add an OpenSSL 3
implementation using EVP_MAC. Only implement Camellia CBC-MAC if
using the builtin CMAC implementation (it uses functions deprecated in
OpenSSL 3). Switch to using krb5int_camellia_encrypt() for
camellia-test.c since krb5int_camellia_cbc_mac() won't always be
available.
[ghudson@mit.edu: made the new SHA-1 and key decryption code work with
all suported OpenSSL versions with just one implementation; added
Diffie-Hellman changes]
In OpenSSL's terminology, id-pkinit-kdf is an instance of SSKDF,
AES-SHA2 and Camellia use KBKDF, and the KDF for DES3 and AES-SHA1 has
been named KRB5KDF. Support for these KDFs was added in OpenSSL 3; we
already supported the existing PBKDF2.
[ghudson@mit.edu: reorganize into builtin and openssl versions of the
file; detect hash and encryption provider identity using pointer
equality like we do in the OpenSSL PBKDF implementation; add helpers
for this translation; simplify and better refactor the PKINIT code;
fix some latent pkinit_kdf_test.c bugs]
Sumit Bose [Mon, 8 Nov 2021 16:48:50 +0000 (17:48 +0100)]
Support larger RADIUS attributes in libkrad
In kr_attrset_decode(), explicitly treat the length byte as unsigned.
Otherwise attributes longer than 125 characters will be rejected with
EBADMSG.
Add a 253-character-long NAS-Identifier attribute to the tests to make
sure that attributes with the maximal number of characters are working
as expected.
[ghudson@mit.edu: used uint8_t cast per current practices; edited
commit message]
Greg Hudson [Tue, 9 Nov 2021 18:00:43 +0000 (13:00 -0500)]
Avoid use after free during libkrad cleanup
libkrad client requests contain a list of references to remotes, with
no back-references or reference counts. To prevent accesses to
dangling references during cleanup, cancel all requests on all remotes
before freeing any remotes.
Remove the code for aging out unused servers. This code was fairly
safe as all requests referencing a remote should have completed or
timed out during an hour of disuse, but in the current design we have
no way to guarantee or check that. The set of addresses we send
RADIUS requests to will generally be small, so aging out servers is
unnecessary.
Greg Hudson [Fri, 5 Nov 2021 23:22:32 +0000 (19:22 -0400)]
Remove pkinit_kdf_constants.c
Commit 9a0575f84e988a23709429f7d4e626db833ab562 renamed this file to
pkinit_constants.c but neglected to remove it. Remove it now, and
also regenerate dependencies.
Greg Hudson [Thu, 28 Oct 2021 04:00:20 +0000 (00:00 -0400)]
Use EVP key agreement in PKINIT
In pkinit_crypto_openssl.c, use EVP_PKEY objects and interfaces to
perform DH operations to the extent possible in OpenSSL 1.0 and 1.1.
Define helper functions for DH operations to make it easier to
conditionalize on OpenSSL version.
Greg Hudson [Mon, 25 Oct 2021 05:51:59 +0000 (01:51 -0400)]
Use OpenSSL SubjectPublicKeyInfo parsing in PKINIT
Shift responsibility for encoding and decoding SubjectPublicKeyInfo
from libkrb5 to the PKINIT ASN.1 module. OpenSSL 1.0 does not support
DHX (RFC 3279 section 3), so for that version use custom ASN.1
marshalling of the parameters and compose that into
SubjectPublicKeyInfo marshalling using X509_PUBKEY.
Greg Hudson [Sat, 23 Oct 2021 20:40:23 +0000 (16:40 -0400)]
Use pre-encoded DH parameter constants in PKINIT
Rename pkinit_kdf_constants.c to pkinit_constants.c and add encodings
of the three well-known Oakley groups. Use them to greatly simplify
pkinit_create_td_dh_parameters() and eliminate make_oakley_dh().
Change the interface for decoding parameters to take a krb5_data
pointer for caller convenience.
Ken Hornstein [Thu, 30 Sep 2021 21:10:06 +0000 (17:10 -0400)]
Support KRB5_CERTAUTH_HWAUTH_PASS in certauth
If a certauth module returns KRB5_CERTAUTH_HWAUTH_PASS, the certauth
accumulator sets the hw-authent flag in the ticket (like it would for
KRB5_CERTAUTH_HWAUTH), but defers authorization to other modules (like
it would for KRB5_PLUGIN_NO_HANDLE).
[ghudson@mit.edu: simplify tests by removing the HWAUTH returns from
the test2 module and allowing it to pass by authenticating as nocert]
Greg Hudson [Fri, 8 Oct 2021 21:45:03 +0000 (17:45 -0400)]
Use builtin MD4, RC4 for OpenSSL 3.0
In OpenSSL 3.0, to use MD4 or RC4 one must load the "legacy" crypto
provider. To do this in libk5crypto, we would need to create and use
an OpenSSL library context to avoid interfering with other users of
the library. Tearing down this context at finalization time would be
further complicated by OpenSSL's use of atexit() for library
finalization, which causes its finalizer to be run earlier than
properly registered finalizers on Linux.
For simplicity, use the builtin implementations of MD4 and RC4 for
OpenSSL 3.0 and later. Also use the builtin DES key parity
implementation since OpenSSL 3.0 deprecates DES_set_odd_parity() with
no replacement.
Greg Hudson [Fri, 8 Oct 2021 21:44:15 +0000 (17:44 -0400)]
Make test PKINIT certs work with OpenSSL 3.0
Add shell functions to reduce repetition in make-certs.sh. Create
PKCS12 files with the -descert flag so that they can be read by
OpenSSL 3.0 without enabling the legacy provider.
Greg Hudson [Thu, 7 Oct 2021 14:45:26 +0000 (10:45 -0400)]
Allow selective overrides in crypto back-ends
In the build system, always descend into all crypto subdirectories and
build all library objects. Conditionalize each object (or
enc_provider/hash_provider entry) on a preprocessor symbol defined in
crypto_int.h.
Remove crypto_mod.h and the libk5crypto initialization and
finalization functions as they are not currently needed. Remove stub
directories in the openssl back-end as it is no longer required to
maintain the same directory structure as builtin.
Make CRYPTO_IMPL_CFLAGS work if it is set manually at configure time
(previously only CRYPTO_IMPL_LIBS worked).
Remove the fortuna and device PRNG modules and PRNG modularity, and
move the prng_os implementation into prng.c. Remove the crypto_mod.h
requirement to implement failure-free AES256 and SHA256. Deprecate
krb5_c_random_add_entropy() and krb5_c_random_os_entropy() and remove
their call sites. Deprecate and ignore the -W (weak random) option to
kadmind and kdb5_util create, and stop using it in the test suite.
Isaac Boukris [Tue, 10 Aug 2021 14:50:35 +0000 (17:50 +0300)]
Fix verification of RODC-issued PAC KDC signature
Per [MS-PAC] 2.8, PAC_SIGNATURE_DATA may contain an RODCIdentifier
following the checksum. In k5_pac_verify_kdc_checksum(), do not
assume that the checksum spans the remainder of the buffer; instead,
look up the checksum length by its type.
[ghudson@mit.edu: edited commit message and comment; reordered code
for clarity]
Select an output credential cache using similar logic to kinit. Do
not require the target cache to be initialized.
Try to use the per-thread cache set by gss_krb5_ccache_name() if no
output cache was specified via a cred store.
When the destination is a collection, honor the default_cred flag by
switching the primary cache to the selected output cache. When the
destination is not a collection, ignore the default_cred flag.
(Previously the default_cred flag was mandatory for gss_store_cred()
even though it is an advisory flag, and ignored for
gss_store_cred_into() even if no ccache was specified in the cred
store.)
Honor the overwrite_cred flag by refusing to replace an initialized
cache if it is not set. Stop using gss_acquire_cred() for this
purpose as it could go out and fetch credentials from a client keytab.
Perform atomic replacement of the target cache when possible, using
krb5_cc_move().
Add a test harness for calling gss_store_cred() or
gss_store_cred_into() and a suite of tests. Fix a broken trace log
message for krb5_cc_move() and update the expected trace logs for an
existing t_credstore.py test.
Pavel Březina [Wed, 8 Sep 2021 13:44:30 +0000 (15:44 +0200)]
Constify name field in four plugin vtables
For consistency with the other plugin vtables, declare the name field
as const char * in the audit, authdata, clpreauth, and kdcpreauth
pluggable interface headers.
Robbie Harwood [Wed, 15 Feb 2017 02:19:45 +0000 (21:19 -0500)]
Find gss_get_mic_iov extensions in GSS modules
Commit d750ef3130b76dd079e863ed395eb3620a37386b added
gss_get_mic_iov(), gss_verify_mic_iov(), and gss_get_mic_iov_length(),
but did not add them to the symbols looked up in external GSS modules
and interposer modules. Add them now.
Robbie Harwood [Wed, 15 Feb 2017 02:18:55 +0000 (21:18 -0500)]
Clarify and correct interposer plugin docs
Most importantly, note for gss_import_name() that the mechanism OID
encoding includes the ASN.1 tag prefix (per RFC 2743 section 3.2), and
add the length prefix for the mechanism token. For
gss_import_sec_context() and gss_import_cred(), note that the
concatenated OID must be used.
[ghudson@mit.edu: reverted part of gss_import_cred() change; reworded
gss_import_name() change; rewrote commit message]
Greg Hudson [Tue, 3 Aug 2021 03:15:12 +0000 (23:15 -0400)]
Add more dump.c bounds checks
Although dump files are privileged inputs, the code to read them
should not admit integer overflows. Add bounds checks for several
fields which are used as allocation lengths or are assigned to
structure fields of smaller size and different signedness. Reported
by Sharwan Ram and Kihong Keo.
Greg Hudson [Tue, 17 Aug 2021 15:26:59 +0000 (11:26 -0400)]
Perform atomic ccache refreshes when possible
Allow ccache types to implement atomic replacement via a new replace
method (replacing the unused "move" vtable slot). Make krb5_cc_move()
use this method when possible, falling back to non-atomic replacement.
Implement atomic replacement for FILE, DIR, MEMORY, and KCM (using a
new opcode, falling back when it is not implemented).
Use krb5_cc_move() in get_in_tkt.c when an output ccache is specified,
in kinit for ticket validation and renewal, and in kvno --out-cache.
Add a test program to exercise concurrent krb5_get_credentials() and
cache refresh.
This commit does not implement atomic replacement for KEYRING or for
gss_store_creds().
Greg Hudson [Wed, 18 Aug 2021 16:07:04 +0000 (12:07 -0400)]
Fix conformance issue in GSSAPI tests
Although some C compilers allow a function returning void to be called
in a return statement from another function returning void, it isn't
conformant and generates an error from (at least) the HP-UX native
compiler. Reported by Michael Osipov.
Greg Hudson [Tue, 3 Aug 2021 05:15:27 +0000 (01:15 -0400)]
Fix KDC null deref on TGS inner body null server
After the KDC decodes a FAST inner body, it does not check for a null
server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
would typically result in an error from krb5_unparse_name(), but with
the addition of get_local_tgt() it results in a null dereference. Add
a null check.
Reported by Joseph Sutton of Catalyst.
CVE-2021-37750:
In MIT krb5 releases 1.14 and later, an authenticated attacker can
cause a null dereference in the KDC by sending a FAST TGS request with
no server field.
Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
management of krb5_gss_inquire_cred(), introducing defcred to act as
an owner pointer when the function must acquire a default credential.
The commit neglected to update the code to release the default cred
along the successful path. The old code does not trigger because
cred_handle is now reassigned, so the default credential is leaked.
Unify the success and failure cleanup for this function so that
defcred is properly released on success.
Reorganize ec_verify() and ec_return() to use cleanup labels instead
of if-ladders. Also use unconditional calls to free functions and
change a few variable names.
Joseph Sutton [Tue, 6 Jul 2021 23:47:44 +0000 (11:47 +1200)]
Fix KDC null deref on bad encrypted challenge
The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
to avoid further processing if the armor key is NULL. However, this
check is bypassed by a call to k5memdup0() which overwrites retval
with 0 if the allocation succeeds. If the armor key is NULL, a call
to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
crash. Add a check before the k5memdup0() call to avoid overwriting
retval.
CVE-2021-36222:
In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
cause a null dereference in the KDC by sending a request containing a
PA-ENCRYPTED-CHALLENGE padata element without using FAST.
[ghudson@mit.edu: trimmed patch; added test case; edited commit
message]
Robbie Harwood [Wed, 26 May 2021 22:22:10 +0000 (18:22 -0400)]
Clean up gssapi_krb5 ccache name functions
Modernize kg_get_ccache_name() and kg_get_ccache_name(). Drop
unnecessary use of const in kg_get_ccache_name() so that its return
value can be properly freed. Fixes some static analyzer false
positives.
Robbie Harwood [Sat, 29 May 2021 18:54:56 +0000 (14:54 -0400)]
Modernize pkinit_get_certs_pkcs11
Remove unusable PKINIT_USE_MECH_LIST code since there's no build
system support and it would leak mechp. Factor out the code to load a
cert from the card. Avoid mixing PKCS11 and krb5 error codes. Fix
leaks of cert and cert_id reported by Coverity.
Robbie Harwood [Sat, 29 May 2021 17:25:59 +0000 (13:25 -0400)]
Fix use-after-free during krad remote_shutdown()
Since elements of the queue can be removed on out-of-memory errors,
the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH.
Reported by Coverity.
projects / thirdparty / krb5.git / log
